Damus
jb55
@jb55
password managers generate a unique password for each website. this means if one of your passwords leaks it won't compromise any of your other website logins.

nostr-login is a regression: if you leak your nsec then they have access to every website that you've ever logged in to.

using your npub for logging into everything is a really bad idea security-wise, please be conscious of this before implementing or pushing this as a login solution to websites which may contain sensitive information.
Lennart · 91w
Not if you use 2FA.
pbl · 91w
could nwc or did help?
amos · 91w
It's a bit better than using a single password, since that password gets stored on many server side databases with varying security. At least with your nsec, it never gets sent over the internet to a server. It stays on your computer. Still a bad idea to use it to log into everything though.
John Gold · 91w
Just have many nyms (npubs) managed by a password manager with a master password :-)
Seeker Erebus · 91w
We've needed a master/slave system for npubs for a while now. This just further reinforces it. In case you don't know what I mean, you have your daily use npub(s) the nsec(s) of which will often be on hot devices, and then you have an npub the nsec of which is a cold key treated with the same secur...
Oren ☂️ #BIP-128 · 91w
Is there a NIP for a “kill switch” event? Something that would say “My nsec has been compromised”. Relays and authentication mechanisms could ignore any further events from this nsec.
rewolf · 91w
Can we do something like derived keys? I know not much about cryptography. But would be cool if we could generate child keypairs from a master keypair. And you can somehow revoke/cancel a leaked child key by providing a new child key of the same parent/master.
BitcoinAddict · 91w
The npub should only serve as something to identify you. To actually login you should sign a message with your private key. Some kind of extension perhaps. Password managers also have a single point of failure which is the password to get in the manager.
Tim Bouma · 91w
lud04 handled that well. A new private/pubkey was derived by the wallet for each domain you logged into. Since an npub is more like an identity than an identifier, if you have concerns you can generate or derive a new npub for each site you log into.
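The two ideas raised above, deriving a separate keypair per domain (rewolf, Tim Bouma) and logging in by signing a challenge rather than handing over the key (BitcoinAddict), as an added worked example that is not part of this thread and not the LUD-04 or nostr code itself. It is a simplified stand-in: the per-site seed is HMAC-SHA256(master, domain) and the keys are Ed25519, whereas the real schemes use secp256k1 and, for lnurl-auth, a BIP32 path; the master secret, domain names and the "site-login/v1:" label are constructed demo values. What it shows is the property the original post wants from a password manager: one site's leaked key is useless at every other site, and the site only ever stores a public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// masterSecret stands in for the single secret kept inside the user's signer app.
// Constructed demo value: a real one comes from a CSPRNG and never leaves the device.
var masterSecret = sha256.Sum256([]byte("constructed demo master secret, do not reuse"))

// normalizeDomain makes "Example.com " and "example.com" derive the same key.
func normalizeDomain(domain string) string {
	return strings.ToLower(strings.TrimSpace(domain))
}

// deriveSiteKey deterministically derives a per-domain keypair:
// seed = HMAC-SHA256(master, "site-login/v1:" + domain) (label is an assumption of this demo).
// Because HMAC is a PRF, one site's seed reveals nothing about the master or any other site's seed.
func deriveSiteKey(master [32]byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master[:])
	mac.Write([]byte("site-login/v1:" + normalizeDomain(domain)))
	seed := mac.Sum(nil) // 32 bytes == ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// siteServer models one website. It stores public keys only, so a database
// leak at this site hands an attacker nothing that works anywhere else.
type siteServer struct {
	domain string
	users  map[string]ed25519.PublicKey // hex(pubkey) -> pubkey
}

func newSiteServer(domain string) *siteServer {
	return &siteServer{domain: normalizeDomain(domain), users: map[string]ed25519.PublicKey{}}
}

func (s *siteServer) register(pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = pub
}

// newChallenge issues a fresh nonce bound to the domain, so a signature
// obtained by one site cannot be replayed at another or reused later.
func (s *siteServer) newChallenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return []byte("login:" + s.domain + ":" + hex.EncodeToString(nonce))
}

// verifyLogin accepts the login only if the signature over this exact
// challenge verifies under a key that was registered for this site.
func (s *siteServer) verifyLogin(pubHex string, challenge, sig []byte) bool {
	pub, ok := s.users[pubHex]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// clientLogin is the signer-side step: only the per-site public key and a
// signature leave the device; neither the master nor the site seed is sent.
func clientLogin(master [32]byte, domain string, challenge []byte) (string, []byte) {
	pub, priv := deriveSiteKey(master, domain)
	return hex.EncodeToString(pub), ed25519.Sign(priv, challenge)
}

// leakedKeyUselessElsewhere reports whether a private key leaked from one
// site fails to log in at another site, which is the isolation property.
func leakedKeyUselessElsewhere(master [32]byte, leakedFrom, target string) bool {
	_, leakedPriv := deriveSiteKey(master, leakedFrom)
	targetPub, _ := deriveSiteKey(master, target)
	srv := newSiteServer(target)
	srv.register(targetPub)
	ch := srv.newChallenge()
	leakedPub := leakedPriv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(leakedPriv, ch)
	return !srv.verifyLogin(hex.EncodeToString(leakedPub), ch, sig)
}

func main() {
	srv := newSiteServer("alpha.example") // constructed domain
	pub, _ := deriveSiteKey(masterSecret, "alpha.example")
	srv.register(pub)
	ch := srv.newChallenge()
	pubHex, sig := clientLogin(masterSecret, "alpha.example", ch)
	fmt.Println("login at alpha.example accepted:", srv.verifyLogin(pubHex, ch, sig))
	fmt.Println("alpha key rejected at beta.example:",
		leakedKeyUselessElsewhere(masterSecret, "alpha.example", "beta.example"))
}
```

Re-logging in needs no stored state on the client beyond the master secret, since the same domain always derives the same key; that is what makes this a drop-in for the "one password per site" behaviour of a password manager while keeping the private key off the wire. A kill switch of the kind asked for later in the thread would then be scoped to a single site's public key rather than to the master.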
kepford · 91w
Thanks for pointing this out. From the comments it is clear much education on security is needed. It's always tradeoffs but one needs to understand them.
Evan · 91w
Thoughts on revokable single-use passwords tied to your nsec? Create it, use it, you’re logged in until you log out, revoke it, or the cookie expires. Create a new one to log in next time. All tied to your nsec, without revealing it. There’s lots of shit wrong with Bluesky, but this feature ...
Stirling Forge · 91w
We need derivative keys.
the axiom · 91w
passwords leak because they're stored in a database at each different website. nsecs never leave your device
the axiom · 91w
what if your password manager database leaks?
Slipstream · 91w
I don't see how it's any different from a password manager. You don't give your nsec to every service, you just use it to authenticate your identity. Yes, if you get your master key compromised you are pwned, but that's literally the same as having your password manager vault compromised.
frphank · 91w
People don't put their nsec into "many different apps". I'm not using nostr logins, but don't they use something like nsec.app? Like 1 app for many websites. I think there's something you haven't understood.
Creediator · 91w
Passwordless.
DETERMINISTIC OPTIMISM 🌞 · 91w
HD?